nmap SMBv1 Scan via Script
Note: this procedure is still untested.
The following modifications must be made to enable a pure SMBv1 scan using the nmap script:
nmap/nselib/smb.lua
Insert the following function:
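--- Probes a host for SMBv1 support only.
--
-- Opens a single SMB session with <code>start</code>, attempts an SMBv1
-- negotiate with <code>negotiate_v1</code>, and closes the session with
-- <code>stop</code>. No SMBv2/SMBv3 dialects are tried, so no further
-- connection is needed once the SMBv1 attempt has finished.
--
-- @param host      The host object to probe.
-- @param overrides [optional] Table of overrides; it is copied before being
--                  handed to <code>negotiate_v1</code>, so the caller's table
--                  is not modified by this function.
-- @return (status, result) If the session could not be started, status is
--         false and result is whatever <code>start</code> returned as its
--         second value. Otherwise status is true and result is a list that
--         holds the dialect reported by <code>negotiate_v1</code> when the
--         negotiate succeeded, or is empty when it did not.
function list_smbv1dialect(host, overrides)
  local supported_dialects = {}
  local status, smb1_dialect
  local smbstate

  overrides = tableaux.tcopy(overrides or {})

  stdnse.debug2("Checking if SMBv1 is supported")
  status, smbstate = start(host)
  if(status == false) then
    return false, smbstate
  end

  status, smb1_dialect = negotiate_v1(smbstate, overrides)
  if status then
    -- SMBv1 was accepted by the server: record the negotiated dialect.
    table.insert(supported_dialects, smb1_dialect)
  end

  -- Close the session. Nothing else is negotiated after SMBv1, so the
  -- connection is not reopened: a second start() here would leave a socket
  -- open that nobody closes, and a failure of that reconnect would discard
  -- an SMBv1 result that had already been obtained.
  stop(smbstate)

  return true, supported_dialects
end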
nmap/scripts/smbv1.nse
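local smb = require "smb"
local stdnse = require "stdnse"
local nmap = require "nmap"

-- The description text was restored from a wiki-mangled form (lower-cased,
-- spaces replaced by underscores); the wording itself is unchanged.
description = [[
List SMBv1 servers only. The script attempts to initiate a connection using
the dialects:
* NT LM 0.12 (SMBv1)

Additionally, if SMBv1 is found enabled, it will mark it as insecure. This
script is the successor to the removed smbv2-enabled script.
]]

---
-- @usage nmap -p445 --script smbv1 <target>
-- @usage nmap -p139 --script smbv1 <target>
--
-- @output
-- | smbv1:
-- |   dialects:
-- |     NT LM 0.12 (SMBv1) [dangerous, but default]
--
-- @xmloutput
-- <table key="dialects">
--   <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
-- </table>
---

author = "Paulino Calderon, modded by PsyCore"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Run once per host, and only when the smb library finds an SMB port on it.
hostrule = function(host)
  return smb.get_port(host) ~= nil
end

-- Asks the smb library for the SMBv1-only dialect list and reports it.
-- Returns an output table with a "dialects" entry when at least one dialect
-- was accepted; otherwise returns a hint string at verbosity > 1, or nothing.
-- `port` is kept in the signature as in the original; it is not used.
action = function(host,port)
  local status, supported_dialects = smb.list_smbv1dialect(host)

  if status then
    for i, v in pairs(supported_dialects) do
      -- Mark SMBv1 as insecure so it stands out in the report.
      if v == "NT LM 0.12" then
        supported_dialects[i] = v .. " (SMBv1) [dangerous, but default]"
      end
    end

    if #supported_dialects > 0 then
      local output = stdnse.output_table()
      output.dialects = supported_dialects
      return output
    end
  end

  -- NOTE(review): because only SMBv1 is probed, reaching this point covers
  -- both "the connection failed / was filtered" and, presumably, "the server
  -- refused SMBv1" (i.e. SMBv1 is disabled, the desired state). The message
  -- below does not distinguish the two; confirm with a full dialect scan
  -- before treating a host as unreachable or as hardened.
  stdnse.debug1("No dialects were accepted")
  if nmap.verbosity()>1 then
    return "No dialects accepted. Something may be blocking the responses"
  end
end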
Start scan
nmap -p139,445 --script smbv1 <target>